Message-ID: <20140804173249.GL24041@dhcp-25-225.brq.redhat.com>
Date: Mon, 4 Aug 2014 19:32:50 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: aliguori@...zon.com, mst@...hat.com, Amit Shah <amit.shah@...hat.com>,
        Laszlo Ersek <lersek@...hat.com>
Subject: CVE Request --  qemu: missing field list terminator in
 vmstate_xhci_event

It was found that vmstate_xhci_event field list was missing
VMSTATE_END_OF_LIST() terminator and traversing through this list
would result in out-of-bounds access during vm state saving and
loading.

Depending on how vmstate_xhci_event is placed in the qemu binary,
this issue can range from non-issue, infinite loop to (potentially)
privilege escalation in case we end up with fields that have info
and/or field_exist members initialized in a way that is useful for
exploitation (most probably unlikely).

In the worst case, attacker able to alter the migration data could
use this flaw to corrupt QEMU process memory.

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1126543

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
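The defect described above is a sentinel-terminated array missing its sentinel. The following C program is an added illustration, not QEMU's code and not part of the original message: a hypothetical `Field` struct stands in for QEMU's VMStateField, `FIELD_END` stands in for VMSTATE_END_OF_LIST(), and the field names and sizes are constructed. It shows a bounded walk that refuses to read past the array's declared length and reports a missing terminator instead of running off the end, which is the check a reviewer would want over every field list before it is handed to a sentinel-driven save/load loop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for QEMU's VMStateField: a name plus where the
   field lives in the device state. A NULL name is the list terminator,
   playing the role of VMSTATE_END_OF_LIST(). Not QEMU's own struct. */
typedef struct {
    const char *name;
    size_t offset;
    size_t size;
} Field;

#define FIELD_END { NULL, 0, 0 }
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Correctly terminated list (constructed): a sentinel-driven walk stops
   at FIELD_END. */
const Field terminated_fields[] = {
    { "type",   0, 4 },
    { "flags",  4, 4 },
    { "length", 8, 4 },
    FIELD_END,
};

/* Constructed list that models the bug: same fields, no terminator.
   A sentinel-driven walk has no stop condition inside this array and
   would read whatever memory happens to follow it. */
const Field unterminated_fields[] = {
    { "type",   0, 4 },
    { "flags",  4, 4 },
    { "length", 8, 4 },
};

/* Bounded walk: count fields up to the terminator without ever reading
   past `capacity` entries. Returns -1 if no terminator is found within
   bounds, which is exactly the condition the upstream fix removes by
   adding VMSTATE_END_OF_LIST(). */
long count_fields_bounded(const Field *fields, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++) {
        if (fields[i].name == NULL) {
            return (long)i;
        }
    }
    return -1;
}

/* Self-check to run on a field list before using it for save/load:
   true only if a terminator exists inside the array's declared length. */
bool field_list_is_terminated(const Field *fields, size_t capacity)
{
    return count_fields_bounded(fields, capacity) >= 0;
}

int main(void)
{
    printf("terminated list: %ld fields before terminator\n",
           count_fields_bounded(terminated_fields, ARRAY_LEN(terminated_fields)));
    printf("unterminated list: %ld (no terminator within bounds)\n",
           count_fields_bounded(unterminated_fields, ARRAY_LEN(unterminated_fields)));
    return 0;
}
```

The point of passing `capacity` explicitly is that the array's declared length is known at the definition site even when the sentinel is absent; a walk that relies only on the sentinel has no such bound, which is why a missing VMSTATE_END_OF_LIST() turns into an out-of-bounds read rather than an error.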